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REMARKS 

Claims 1-12, 16-22, 26-32 and 36-39 are pending in the present application. Claims 1 3- 
15, 23-25 and 33-35 were canceled; claims 18, 28 and 38 were amended; and no claims 
were added Reconsideration of the claims is respectfully requested. 

I- 35 U,S,C> S 1 03. Obvionsness. Claims 1-10. 12, 20. 22. 30 and 32 

The Examiner has rejected claims 1-10, 12, 20, 22, 30 and 32 under 35 U.S.C § 
1 03 as being unpatentable over Amold et al (5440723) (hereinafter "Amold'") in view of 
ServerWatch - Network Associates Ships CybeiCop Sting (hereinafter "ServerWatch"). 
This rejection is respectfully traversed. 

As to claims 1-10, 12, 20, 22, 30 and 32, the Office Action states: 

With respect to Claim 1, Amold et al meets the limitation of "a 
local server" on Fig. 1 A; and "a plurality of client data processing 
systems" on Fig. IB; and **. . .broadcasts an indication that a virus attack is 
underway to all devices within the network data processing system" on 
column 2, lines 30-33, column 24, lines 32-42; and "ignores all furflier 
access requests by the offending system until receiving an indication that 
the offending system has been disinfected, and directs the local server to 
disconnect the offending system ftom the network data processing 
system" on column 5, lines 59-65, and on column 24, lines 44-57. Arnold 
however does not meet the following limitation- 

The Umitation of "a bait server, wherein the bait server monitors 
itself and, responsive to an attempt from an offending system within the 
network data processing system to access the bail server" is met by 
ServerWatch on pages 1 and 2< 

It would have been obvious to combine the teachings of 
ServerWatch within the system of Arnold et al because the bai l server 
provides a dedicated, convenient and less expensive way of monitoring a 
large network. A dedicated bait server requires less maintenance than 
multiple decoy programs/servers and hence simplifies an administrator's 
job of protecting the network. It is obvious to ignore all fuOrther access 
requests from the offending system until the infected system is uninfected 
so as not to spread the virus to the rest of the network. 



Office Action dated October 5, 2004, page h 



A fundamental notion of patent law is the concept that invention Ucs in the new 
combination of old elements. Therefore, a rule that every invention could be rejected as 
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obvious by merely locating each element of the invention in the prior art and combining 
the references to formulate an obviousness rejectipn is inconsistent with the very jiature 
of "invention." Consequently, a rule exists that a combination of references made to 
establish aprima facie case of obviousness must be supported by some teaching, 
suggestion, or incentive contained in the prior art which would have led one of ordinary 
skill in the art to make the claimed invention. 

The Examiner bears the burden of establishing a prima facie case of obviousness 
based on the prior art when rejecting claims under 35 U.S.C § 103. In re Fritch, 972 
F.2d 1260, 23 U.S.P.Q.2d 1780 (Fed. Cir. 1992). 

Additionally, in comparing Arnold and ServerWatch to the claimed invention, the 
claim limitations of the presently cla imed invention may not be ignored in an 
obviousness determination. 

The present invention, in independent claim 1, recites: 

1 . A network data processing system for identifying, locating, and 
deleting viruses, comprising: 
a local server; 

a plurality of client data ptxjcessin g systems; and 
a bait server, -vvheTein 

the bait server monitors itself and, responsive to an attempt fixjm 
an offendmg system witliin the network data processing system to access 
the bait server, the bait server broadcasts an indication that a vims attack is 
underway to all devices within the network data processing system, 
ignores aU further access requests by the offending system until receiving 
an indication that the offending system has been disinfected, and directs 
the local server to disconnect the offending system from the network data 
processing system. 

Arnold docs not teach the feature of "directs the local server to disconnect the 
offending system from the network data processing system." The Examiner points to 
column 5, lines 59-65 and column 24, lines 44-57 of Arnold as teaching this feature: 

If the anomaly is found to be due to a known virus or some slight 
alteration of it, the method proceeds to Step B 1 where the user is alerted 
and the virus removed (killed) by traditional methods, such as restoration 
&om backup (either automatically or manually by the user) or disinfection 
(removal of the virus from all of the software it has infected.) In general. 
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disinfection is only acceptable if the virus is found to be an exact copy of a 
known vims. This implies that the system verify the identification made 
by the virus scanner. 

If VIRSCAN (Block 0) has identified one or more infected files, an 
attempt is made to restore each infected file to an uninfected condition. 
VERY is capable of removing many of the most common viruses from 
infected files by determining whether tlie virus is an exact copy of one that 
it is capable of removing. If so, VERY removes the virus. If the virus 
cannot be removed by VERY, an automatic restore irom a tape backup or 
fi-om a read-only directory on a server, or from anotlicr machine on the 
network is attempted. If an automatic restoration of the infected file cannot 
be accomplished, the user receives a message describing the situation, 
with instructions for manually restoring the file from backup. 

Neither of the above cited passages teaches the feature of ''directs the local server 
to disconnect the offending system from tlie network data processing system/' The first 
cited passage, column 5, lines 59-65, teaches that when a virus is found, the user is 
alerted and an attempt is made to eliminate the virus. The second cited passage, column 
24, lines 44-57, teaches that once a virus has been detected VERY tries to eliminate the 
virus. If YERV is unsuccessful, then an automatic restoration of backup files is 
attempted. If that fails, a message is generated and sent to the user, instructing the user to 
manually restore the files from backup. Neither passage, when read separately or 
together, teaches the feature of "directs the local server to disconnect the offeoding 
system from the network data processing system." Therefore, the proposed combination 
does not result in the claimed invention. Accordingly, the Examiner has failed to state a 
prima facie case of obviousness. 

Furthennore, nowhere does Arnold teach or suggest the feature of "directs the 
local server to disconnect the offending system from the network data processing 
system." Arnold describes a process whereby, when a virus is detected, other computers 
are notified. This notification does not include any instructions to "disconnect the 
offending system fi-om the network data processing system." Instead, Arnold teaches that 
this signal, the kill signal, merely contains information and is intended primarily to 
inform neighboring computers of an anomaly existing and secondarily to induce them to 
begin their own virus protection routines, as explained in a passage in column 1 9, line 58 
through column 20, line 1 1 : 
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The kill signal may take a variety of forms and provide as little or 
as much information as is appropriate or practical. For example, in one 
embodiment the infected computer simply sends an "I'm infected" signal 
(one bit of iofoimation) to its neighbor(s) whenever it cntca^ Step B (Scan 
for Known Viruses), thereby inducing all of the neighbors to also enter 
Step B themselves. In another embodiment, the infected computer sends 
an "I'm infected" signal after it has cleaned itself up (completed Step B 
successfiilly), and also sends the name of the virus (if it was previously 
known) and its signature(sX whether the virus was previously known or 
not. The signature(s) may have been determined in Step ,R In a further 
embodiment, the infected computer sends an "I'm infected" signal when it 
enters Step C- i.e., after it fails to identify the anomaly as a known virus, 
thereby inducing its neighbors to enter Steps B and C. Other strategies 
may also be used, other than those specifically detailed above. In all cases, 
the end result is that other computers on the network are alerted to the 
presence of an anomaly, which may be a known or an unknown virus, 
within the network. 

Thus, nowhere does Arnold teach or suggest the feature of "directs the local server to 
disconnect the offending system from the network data processing system." Therefore, 
the proposed combination does not result in the claimed invention. Accordingly, the 
Examiner has failed to state a prima facie case of obviousness. 

Additionally, Arnold does not teach or suggest the feature "ignores all further 
access requests by the offending system until receiving an indication that the offending 
system has been disinfected." The Examiner points to column 5, lines 59-65 and column 
24, lines 44^57 of Arnold, cited above, as teaching this feature. As was discussed above, 
the first cited passage, teaches that when a virus is found, the user is alerted and an 
attempt is made to eliminate the virus. The second cited passage, teaches tliat once a virus 
has been detected VERY tries to eUminate the virus. If VERY is unsuccessftil, then an 
automatic restoration of backup files is attempted. If that fails, a message is generated and 
sent to the user, instructing the user to manually restore the files from backup. Ncitlier 
passage, when read separately or together, teaches the feature of "ignores all further 
access requests by the offending system until receiving an indication tliat the offending 
system has been disinfected." Therefore, the proposed combination does not result in the 
claimed invention. Accordingly, the Examiner has failed to sme a prima facie case of 
obviousness. 
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Furthermore, nowhere does Arnold teach the feature of ''ignores all further access 
requests by the offending system until receiving an indication that the offending system 
has been disinfected." Instead, as can be seen in the above cited passage, column 19, line 
58 through column 20, line 1 1 , Arnold teaches that the infected system can continue 
interacting with the rest of the network as shown by several embodiments in which the 
infected computer sends information to other computers prior to the infected computer's 
being cleaned of the virus. Thus, nowhere does Arnold teach or suggest the feature of 
"ignores all further access requests by the offending system until receiving an indication 
that the offending system has been disinfected/' Therefore, the proposed combination 
docs not result in the claimed invention. Accordingly, the Examiner has failed to state a 
prima facie case of obviousness. 

Furtliemiore, Scrverwatch does not cure the deficiencies of Arnold. Scrverwatch 
does not teach the features missing from Arnold, including "ignores all fiirther access 
requests by the offending system until receiving an indication that the offending system 
has been disinfected and directs the local server to disconnect the ofFeoding system from 
the network data processing system," nor does the Examiner cite any portion of 
ServerWatch that teaches these features. Therefore, the praposed combination does not 
result in the claimed invention. Accordingly, the Examiner has failed to state a prima 
^cze case of obviousness. 

Therefore, for all the reasons stated above, Applicants believe that the cited 
references do not teach all the features of independent claim 1, Therefore, the proposed 
combination does not result in the claimed invention. Accordingly, the Examiner has 
failed to state zprima facie case of obviousness. Accordingly, Applicants respectfully 
submit that claim 1 is patentable over the Arnold and Scrverwatch references. 

The present invention, in independent claim 10, which is representative of 
independent claims 20 and 30 with regard to similarly recited subject matter, recites;: 

10. A method for detecting the presence of a computer virus, the 
mctliod comprising; 

receiving, at a bait server, a request to perform a function on the 
bait server; 

identifying an offending system from which the request originated; 
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alerting a local server that a virus attack is in progress and of the 
identity of the offending systemi and 

directing the local server to disconnect tlie offending system from 
the network. 

Arnold does not teach the feature of "directing the local server to disconnect the 
offending system from the network." The Examiner points to column 19, line 60 through 
column 20, line 3, reproduced above, as teaching this feature. As was discussed above in 
the rejection of claim 1, column 19, li.ne 60 through column 20, line 3 does not teach this 
feature. Instead, the cited passage teaches that the kill signal merely contains information 
and is intended primarily to inform neighboring computers of an anomaly existing and 
secondarily to induce them to begin their own virus protection routines. This notification 
does not include any instructions to "disconnect the offending system from the network." 
Thus, nowhere does Arnold teach or suggest the feature of "directing the local server to 
disconnect the offending system from the network.*' Therefore, the proposed combirjation 
does not result in the clainied invention. Accordingly^ the Examiner has failed to state a 
prima facie case of obviousness. 

Furthermore, ServerWatch does not cure the deficiencies of Arnold. ServerWatch 
does not teach the feature missing from Arnold, "directing the local server to discormect 
the offending system from the network," nor does the Examiner cite any portion of 
ServerWatch that teaches this feature. Therefore, the proposed combination does not 
result in the claimed invention. Accordingly, the Examiner has failed to state a prima 
facie case of obviousness. 

Therefore, for all the reasons stated above, Applicants beheve that the cited 
references do not teach all the features of independent claims 10, 20 and 30. Therefore, the 
proposed combination does not result in the claimed invention. Accordingly, the 
Examiner lias failed to state a prima facie case of obviousness. Accordingly, Applicants 
respectfully submit that claims 10, 20 and 30 are patentable over the Arnold and 
ServerWatch references. 

Claims 2-9, 12, 22 and 32 are dependent claims that depend from independent 
claims 1, 10, 20 and 30. As Applicants have ahcady demonstrated that independent 
claims 1 , 10, 20 and 30 are patentable over the Amold and ServerWatch references. 
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Applicants submit that dq>endent claims 2-9. 12, 22 and 32 are patentable over the 
Arnold and Serverwatch references at least by virtue of depending from an allowable 
claim. Consequently, Apphcants respectfully submit that the rejection of claims 2-9, 12, 
22 and 32 have been overcome. Additionally, several claims recite other additional 
combinations of features not suggested by the Arnold and Serverwatch references. 

For example, regarding claim 2, the Examiner concedes, and Apphcants agree, 
that Amold does not teach the feature of '"wherein the address of the bait server is not 
published to the plurality of client data processing systems." However, Serverwatch does 
not teach this feature either. The Examiner points to page 1 of Serverwatch as teaching 
this feature. The Examiner has stated that **[t]his is because the decoy server creates a 
fictitious presence within tlie network." However, just because the Serverwatch product 
creates a fictitious presence, it does not necessarily follow that the address of tlie server is 
"not published to the plurality of client data processing systems." What the Serverwatch 
advertisement states is: 



Network Associates, Inc. today announced the avail ability of its CyberCop 
Sting software, a new decoy" server that silently traces and tracks 
liackers, recording and reporting all intrusive activi ty to security 
administrators. CyberCop Sting is a component of the CyberCop intrusion 
protection software family which also includes CyberCop Monitor, a real- 
time intrusion detection application that monitors critical systems and 
networks for signs of attack and CyberCop Scanner, a network 
vulnerabiUty scarmer, 

CyberCop Sting allows TS managers to silently monitor suspicious activity 
on their corporate network and identify potential problems. It operates by 
creating a series of fictitious corporate systems on a specially outfitted 
server fliat combines moderate security protection with sophisticated 
monitoring technology. The Sting product creates a decoy, virtual TCP/IP 
network on a single server or workstation and can simulate a network 
containing several different t>pes of network devices, including Windows 
NT servers, Unix servers and routers. Each virtual network device has a 
real IP address and can receive and send genuine-looking packets fi-om 
and to the larger network environment. Each virtual network node can also 
run simulated daemons, such as finger and FTP, to further emulate the 
activity of a genuine system and avoid suspicion by would-be intruders. 
While watching all traffic destined to hosts in its virtual network, Sting 
performs IP fragmentation reassembly and TCP stream reassembly on the 
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packets destined to tliese hosts, convincing snoopers of the legitiniacy of 
the secret network they've discovered. 

CyberCop Sting provides a number of benefits for security administrators, 
including; 

• Detection of SLispicious activity inside network; Log jRles serve to alert 
administrators to potential attackers prying into reserved areas. 

• Virtual decoy network can contain multiple "ho$t$" without the expense 
and maintenance that real systems require. 

• CyberCop Sting software's virtual hosts return realistic packet 
information. 

• CyberCop Sting logs snooper activity immediately, so collection of 
information about potential attackers can occur before they leave, 

• CyberCop Sting requires very little file space but creates a sophisticated 
virtual network. 

Network Associates' CyberCop Intrusion Protection suite is a collection of 
integrated security tools developed to provide network risk assessment 
scanning (Scanner), real-time intrusion monitoring (Monitor) and decoy 
trace-and "track capabilities (Sting) to enhance the security and 
survivability of enterprise networks and systems. The suite also includes 
features such as AutoUpdate, modular construction, and Active Security 
integration to provide product integrity. A Network Associates white 
paper on next-generation intrusion detection is available at 
http://www.nai.com/activesecurity/files/ids.doc. 

The above cited passages teach that the Serverwatch product creates a series of fictitious 
systems on a special server. However, nowhere does the advertisement state that the 
address of the special server is "not published to tlie plurality of client data processing 
systems," Simply creating a virtual device does not mean tliat the address of the device, 
or the server on which the virtual device resides, is unknown to other^ real servers and 
devices. It just means that the device is not a real, physical device. Thus, nowhere does 
ServerWatch teach or suggest the feature of 'Svherein the address of tbe bait server is not 
published to the plurality of client data processing systems." Therefore, the proposed 
combination does not result in the claimed invention. Accordingly, the Examiner has 
failed to state a prima facie case of obviousness. 

Claim 9 recites the feature of "wherein the network data processing system is 
configured to* once the offending system lias been disinfected of the clienu allow the 
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offending system to reconnect to the network data processing system." The Examiner 
points to column 5, lines 59-65, cited above, and column 21, lines 30^2, reproduced 
below, as teaching this feature: 

If the user chooses to suspend the process, the method proceeds to Step B, 
in which that process, all parents or children of that process, and perhaps 
all other processes in memory, are scanned for known worms. Cleanup 
involves killing active worm processes (determined by tracing the process 
tree), and deleting worm executables and auxihary files from storage 
media. Backup of files is not likely to be as necessary in this case, as it is 
for viruses, since a worm typically does not alter other executables- 
However, restoration of files may be tjecessary if the worm modifies 
scripts in order to invoke itself, or causes damage to other executable or 
data files. 

The two passages, cited above, teach eliminating the vims, or worm, once it has been 
detected. The Examiner fiirther states that "it is obvious to allow the disinfected system to 
be reconnected to the network after disinfection". However, as was discussed in regards 
to claim 1 above, Arnold does not teach disconnecting the offending computer from the 
network. Therefore, it follows that if Arnold does not teach disconnecting the infected 
system, it cannot teach reconnecting the system once it has been disinfected. Thus, 
Arnold does not teach the feature of 'Svherein the network data processing system is 
configured to, once the offending system has been disinfected of the client, allow the 
offending system to reconnect to the network data processing system," Therefore, the 
proposed combination does not result in tlxe claimed invention. Accordingly, the 
Examiner has failed to state a prima facie case of obviousness. 

Claims 12, 22 and 32 recite the features of '*receiving a reconnect request firom 
the offending system" and '"reconnecting the offending system to the network." Neither 
Arnold nor ServerWatch teach or suggest these features. The Examiner points to column 
24, lines 61-65 as teaching these features: 



The resulting disinfected file is then checked by running CHECKUP 
(Block B) and determining whether the checksum of the file matches the 
value it had prior to infection. If not, automatic or manual restoration of 
the original file can be attempted. 
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The above cited passage teaches verifying that the disinfected file has indeed been 
disinfected. The Examiner further states that "it is inherent that the computer is 
reconnected to the network after the disinfection is verilied.'' However, as was discxissed 
above in regards to claims 1 and 9, Arnold does not teach disconnecting an infected 
computer from the network, Tlierefore, it follows that if Arnold does not teach 
disconnecting the infected system, it cannot teach receiving a request to reconnect the 
computer once it has been disinfected or reconnecting the computer once it has been 
disinfected. Thus, Arnold does not teach the features of ''receiving a rccoraiect request 
from the offending system" or ^'reconnecting the offending system to the network." 
Therefore, the proposed combination docs not result in the claimed invention. 
Accoiriingly, tlie Examiner has failed to state a prima facie case of obviousness. 

Therefore, the rejection of claims 1-10, 12, 20, 22, 30 and 32 under 35 U.S.C, § 
103 has been overcome. 

IL 35 U-S-C- S 103. Obviousness, Claims 11, 21 and 3t 

The Examiner has rejected claims U, 21 and 31 under 35 U.S.C § 103 as being 
unpatentable over Arnold et al (5440723) in view of ServerWatch - Network Associates 
Ships CyberCop Sting in further view of Kim et al (6701440 Bl), This rejection is 
respectfully traversed . 

As to claims 1 1, 21, 31 , the Office Action state$: 

With respect to Claim 1 1, all the limitation is met by the 
combination of Arnold et al and ServerWatch except for the fol lowing 
limitation. The limitation of '"prior to disconnecting the offending system, 
notifying the offending system that it i$ infected v^th a virus" is met by 
Kim et al on column 3, lines 45-47 and 54-61 . 

It would have been obvious to one of ordinary skill in the art to 
combine the teachings of Kim et al within the combination of Arnold et al 
and ServerWatch because quarantining the infected machine and then 
notifying it that is has been infected prevents furtlier spread of the virus to 
tlie rest of the network. 

OfiSce Action dated October 5, 2004, page 4. 
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The Arnold reference does not teach or suggest all the claim limitations in claims 
1 1, 21 and 31, as argued in the response to the rejection of claim 1 above. 

Furthermore, as argued in the response to the rejection of claim 1 above, 
ServerWatch does not cure the deficiencies in Arnold. 

Additionally, Kim does not cure the deficiencies of Arnold and ServerWatch. Kim. 
does not teach the features missing j&om Arnold and ServerWatch, including "ignores all 
further access requests by the offending system until receiving an indication that the 
offending system has been disinfected, and directs the local server to disconnect tlie 
offending system from the network data processing system," nor does the Examiner cite 
any portion of Kim that teaches these features. 

Thus, claims 1 1, 21 and 31 are patentable over the cited references because the 
combination of the Arnold reference witli ServerWatch and Kim would not reach the 
presently claimed invention. The features relied upon as being taught in ±e Amold 
reference are not taught or suggested by that reference, as explained above. Neither 
ServerWatch nor Kim cures the deficiencies of Amold. As a result, a combination of these 
references would not reach the claimed invention in claims 11,21 and 31. 

In view of the above, Applicants submit tliat dependent claims 11, 21 and 31 are 
not taught or suggested by Amold, ServerWatch, Kim or any combination thereof Claims 

II, 21 and 31 are dependent claims depending on independent claims 10, 20 and 30. 
Applicants have already demoiTStrated claims 10, 20 and 30 to be in condition for 
allowance. Applicants respectfully submit that claims 11,21 and 31 are also allowable, at 
least by virtue of their dependency on allowable claims. 

Therefore, the rejection of claims 1 1, 21, 31 underi35 U.S.C. § 103 has been 
overcome. 

III. 35 U.S.C. S 103. Obviousness, Claims 13, 23 and 33 

The Examirier has rejected claims 1 3, 23 and 33 under 35 U.S.C, § 103 as being 
unpatentable over Servcrwatch - Network Associates Ships CyberCop Sting. 
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As to claiTTis 13, 23, 33, the Office Action states: 

With respect to Claim 13, Servenvatch meets the limitation of 
^^onitoring files within the bail server; and respotisive to a change m one 
or more of the files within the bail server, notifying a local server that a 
virus attack is underway^' on pages 1 and 2. CyberCop notifies an 
administrator of intrusive activity. This administrator must reside over a 
server/processor to receive this message. 

It would have been obvious to one of ordinary skill in the art to 
respond to a change in one or more files within the bail server because this 
would alert the administrator of an ongoing or potential attack withm the 
network. 

Office Action dated October 5, 2004, page 5. 

In order to expedite prosecution, claims 1 3, 23 and 33 have been cancelled. 
Therefore, the rejection of claims 13, 23 and 33 under 35 U.S.C, § 103 has been rendered 
moot. 



IV. 35 U,S.C- S 103. Obviousness, Claims 14. 15, 24, 25. 34 and 35 

The Examiner has rejected claims 14, 15, 24, 25, 34 and 35 under 35 U.S.C. § 1 03 
as being unpatentable over ServerWatch - Network Associates Ships CyberCop Sting m 
view of Arnold et al (5440723). 

As to claims 14, 15, 24, 25, 34 and 35, the Office Action states: 

With respect to Claim 1 4, ServerWatch meets all the limitation 
except for the following limitation, Arnold et al meets the limitation of 
*Vherein the change in one or more of the files includes a change in byte 
size of the one or more of the files" on column 5, lines 14-16. 

It would have been obvious to one of ordinary skill in the art at the 
lime the invention was made to combine the teachings of Arnold et al 
within the system of Serverwatch because a checksum of the fi le to 
indicate that the file has been changed allows the system to know if the 
server has been infected by a virus. 

Office Action dated October 5, 2004, page 5. 

In order to expedite prosecution, claims 14, 15, 24, 25, 34 and 35 have been 
cancelled. Therefore, the rejection of claims 14, 15, 24, 25, 34 and 35 under 35 U.S.C. § 
103 has been rendered moot. 
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V. 35 U.S,C> 8 103, Obviousness, aaims i ^^^, 26-29 and 36-39 

The Examiner has rejected claims 16-19, 26-29, and 36-39 under 35 U.S.C. § 103 
as being unpatentable over Arnold et al (5440723). This rejection is respectfully 
traversed. 

As to claims 16-19, 26-29, 36-39, the Office Action states: 

With respect to Claim 16, Arnold et al meets the limitation of 
"monitoring a network for the presence of a computer virus" on colnmn 2, 
lines 5 1-55; and 'Vesponsive to a determination that a virus is detected, 
determining the identify of an offending system witiiin the networic from 
which the virus entered the network" on column 4, hnes 61-66; and 
"directing the local server to disconnect the offending system from the 
network" on column 19, lines 60-68, and on column 20, Unes 1-3. 

It would have been obvious to one of ordinary skill in the art at the 
time of the invention to disconnect the infected computers from the 
network before the systems are cleaned up so as to prevent furtlier spread 
of the virus. The "I'm infected" message sent by the infected system(s) 
has its identifying information as part of the message sent or else the 
recipient of this message would not know which computer in the network 
had sent this message and was infected. 

Office Action dated October 5, 2004, page 6-7. 

Independent claim 16^, which is representative of independent claims 26 and 36 
with regard to similarly recited subject matter, recites; 

16. A method in a bait server for detecting the presence of a computer 
virus, the method comprising; 

monitoring a network for the presence of a computer virus; 

responsive to a determination that a virus is detected, determining 
the identity of an offending system within the network from which the 
virus entered the network; and 

directing the local server to disconnect the offending system from 
the network. 

The Arnold reference does not teach or suggest all the claim limitations in claim 
16. Specifically, Arnold does not teach the feature of "directing the local server to 
disconnect the offending system from the network." The Examiner points to column 19, 
line 60 through column 20, line 3 as teaching this feature. However, as was discussed 
above in the response to the rejection of claim 1, Amold does not teach this feature. 
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Therefore, even in view of the Examiner's comments, Arnold would not teach or suggest 
the presently claimed invention. Accordingly, the Examiner has failed to state b. prima 
facie case of obviousness. 

Therefore, for all the reasons stated above, Applicants believe that Arnold does not 
teach all the features of independent claims 16, 26 and 36. Additionally, for all the reasons 
stated above. Applicants believe that neither AmoJd nor the Examirter's comments teach all 
the features of independent claims 16, 26 and 36. Therefore, even in view of the 
Examiner's comments, Arnold would not teach or suggest the claimed invention. 
Accordingly, the Examiner has failed to state a prima facie case of obviousness. 
Therefore, AppUcants respectfully submit that claims 1 6, 26 and 36 are patentable over 
Arnold. 

Claims 17-19, 27-29 and 37-39 are dependent claims that depend from 
independent claims 1 6, 26 and 36. As Applicants have already demonstrated that 
independent claims 16, 26 and 36 are patentable over Arnold and the combination of the 
Arnold and ServerWatch references. Applicants submit that dependent claims 17-19, 27- 
29 and 37-39 are patentable over Arnold and the combination of the Arnold and 
ServerWatch references at least by virtue of depending from an allowable claim. 
Consequently, AppUcants respectfully submit that the rejection of claims 17-T9, 27-29 
and 37-39 has been overcome. Additionally, several claims recite other additional 
combinations of features not suggested by Arnold or the combination of Arnold and 
ServerWatch. 

For example, claims 1 7, 27 and 37 recite the feature of "Instmcting all devices 
within the network to ignore all requests from the offending system until the offending 
system bas been disinfected and is available for network communication." Arnold does 
not teach tliis feature. The Examiner points to column 19, line 60 through column 20, line 
1 1 , reproduced above, as teacliing this feature. However, the above cited passage does 
not teach this feature. As was discussed above in the response to the rejection of claim 1, 
Arnold does not teach or suggest tlie feature of "ignores all further access requests by the 
offending system until receiving an indication that the offending system has been 
disinfected." Therefore, it follows that Arnold does not teach the feature of "instructing 
all devices within the network to ignore all requests from the offending system until the 
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offending system has been disinfected and is available for network communication," as 
recited in claims 17, 27 and 37 of the present invention. Therefore, even in view of the 
Examiner's comments, Arnold would not teach or suggest the presently claimed 
invention. Accordingly, the Examiner has failed to state a prima facie case of 
obviousness. 

Additionally, claims 1 9, 29 and 39 recite the feature of "responsive to an 
indicaticD that the offending system has beefi disinfected and responsive to a reconnect 
request fix>m the offending system, reconnecting the offending system to the network." 
Arnold does not teach this feature. The Examiner points to column 24, lines 61 through 
65, reproduced above, as teaching this feature. However, the above cited passage does 
not teach this feature. As was discussed above in the response to the rejection of claim 
12, Arnold does not teach or suggest **receiving a reconnect request from the offending 
system" or "recormecting the offending system to the network." Therefore, it follows for 
the same reasons, that Arnold does not teach the feature of *Vesponsive to an indication 
that the ofiFending system has been disinfected and responsive to a reconnect request fix>m 
the offending system, reconnecting the offending system to the network," as recited in 
claims 19, 29 and 39 of the present invention. Thus, Arnold does not teach each and 
every element of claims 19, 29 and 39. Therefore, even in view of the Examiner's 
comments, Arnold would not teach or suggest the presently claimed invention. 
Accordingly, the Examiner has failed to state a prima facie ease of obviousness. 

Therefore, the rejection of claims 16-19, 26-29, and 36-39 under 35 U.S.C. § 102 
and 35 U.S.C. § 1 03 has been overcome. 
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VI. Conclusion 

It is respectfully urged that the subject application is patentable over the cited 
references and is now in condition for allowance. 

The Examiner is invited to call the undersigned at the below-listed telephone 
number if in the opinion of the Examiner such a telephone conference would expedite or 
aid the prosecution and examination of this application. 



DATE: Jjf^L/grK^ ^ 2oo.< 



Respectfully submitted, 




Gerald H. Glanzman 
Reg. No. 25,035 
Yee & Associates, P.C. 
P.O. Box 802333 
Dallas, TX 75380 
(972) 385-8777 
Attorney for Applicants 



GHG/bj 
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